This document is available only in English for now.
This Privacy Policy explains what personal data Spotlite processes, why, who we share it with, and the choices you have. It applies to the Spotlite Discord application (“the Bot”) and the Spotlite website at spotliteme.io (“the Hub”, and together with the Bot, “the Service”). It should be read alongside our Terms of Service.
Who is responsible for your data. Spotlite (the “Operator”, “we”, “us”) is responsible for the personal data described here. You can reach us about any privacy matter at [email protected].
1. Our approach: we store very little
Spotlite is built to collect and keep as little personal data as possible. We do not store your name or email address, we do not store payment-card numbers, we do not store IP addresses in our database, we run no analytics or tracking, and the Hub website sets no cookies. This policy explains exactly what we do process, and why.
2. The data we process
2.1 Your identifier
Spotlite identifies you by your Discord user ID (a numeric identifier assigned by Discord). We do not store your real name, your email address, or your Discord username — where a username is shown in moderation tools, it is fetched live from Discord and not saved by us. Under data-protection law a Discord ID is still an online identifier, so we treat it as personal data.
2.2 What we store about you
Depending on how you use Spotlite, we may hold:
- Language preference — the language you’ve chosen, so we can show messages in it.
- Saved-card references (only if you choose to save a card) — references provided by Stripe, plus your card’s brand and last four digits, and whether auto-pay is enabled. We never store your card number; that stays with Stripe.
- Promotions you book or create — the title, text, links, images, and video you submit, and a record that you booked the slot. Moderators’ review actions are also recorded.
- Auction bids — the bids and amounts you place.
- Likes — which promotions you’ve liked, when you like from within Discord. We keep this link only while the promotion is live: when its slot ends, the record is de-identified so that only an anonymous count and timestamp remain.
- Reports you make — that you reported a promotion, and the reason you gave.
- Payment records — references from Stripe (amount, currency, status, and Stripe identifiers) linked to a booking. No card data.
- Anti-abuse and reputation signals — for example, whether you are blocked, whether a card on file is required of you, counts of cancellations or defaults, and any temporary bidding restriction.
- Terms-acceptance records — that you accepted these Terms and this Policy, which version, when, in what context, and whether via Discord or the web. Each acceptance is tied to your Discord account, so it serves as proof of agreement without our needing to store your IP address or device information.
- Operator moderation records — if our team takes a moderation action, we may keep an internal note about a user or a server, including the reason for a platform-wide ban and a record of ban, unban, and appeal events. Where relevant, a short note about a ban may be shared with the administrators of communities you take part in, so that their moderation tools reflect the action. These records are written by the Operator and are kept for safety and fraud-prevention purposes.
2.3 If you administer a community
For server administrators we also process server-level details: your server’s Stripe connected-account reference, subscription and billing references, your Hub invite link, and snapshots of your server’s public information such as its name, icon, and member count.
2.4 Content you write or upload
Fields you write or upload — promotion text, report reasons, community descriptions, and uploaded images — may contain personal data if you choose to include it. Please do not put sensitive personal information into these fields. Images you upload as part of a promotion are stored in a publicly accessible location and are served publicly while the promotion is live, including on the Hub.
2.5 Technical data
Our hosting and infrastructure providers process IP addresses in standard server request logs, and we use IP-based rate-limiting to prevent abuse. We do not persist IP addresses or device information in our own database.
3. What we deliberately do not collect
- No real names or email addresses in our database. (Stripe’s checkout may collect an email for a receipt; that lives with Stripe, not with us.)
- No payment-card numbers — these are handled entirely by Stripe.
- No Discord login tokens.
- No IP addresses or device information persisted in our database.
- No cookies and no analytics on the Hub (see Section 7).
4. Why we process your data
- To operate the service — to run bookings, auctions, payments, display, and expiry of promotions.
- To process payments — through Stripe for marketplace transactions, and through Lemon Squeezy or Discord for subscriptions.
- To keep the service safe — moderation, reporting, automatic hiding, and the reputation system that limits repeat abuse.
- To prove agreement to our Terms — by keeping a record that you accepted them.
- To show content in your chosen language.
We rely on the following legal grounds, depending on the activity: performing our agreement with you (for bookings, payments, and providing the service); our legitimate interests (in preventing fraud and abuse, moderating content, keeping the service secure, and proving agreement to our Terms); and, where it applies, your consent.
5. Who we share your data with
We use a small set of trusted providers, each handling only what is needed:
- Discord — the platform Spotlite runs on, and the source of your user ID.
- Stripe — payment processing and secure card storage for marketplace payments, via Stripe Connect. Stripe handles payment data under its own terms.
- Supabase — our database and the storage for uploaded promotion images.
- Lemon Squeezy — merchant of record for community subscriptions. (Discord’s own monetization may be used as an alternative where enabled.)
- YouTube — when a promoter attaches a video, our server asks YouTube for the video’s title and thumbnail. This is a request about the video only; no visitor or member data is sent.
- Hosting and infrastructure providers — which process request logs, including IP addresses, to run and protect the service.
We do not sell your data, and we do not share it with advertising networks.
6. How long we keep your data, and how to delete it
If a community removes the Bot, nearly all data tied to that server is deleted automatically — including promotions, payments, bids, likes, reports, and saved cards — except your global language preference. Records that are not tied to a single server also remain: your terms-acceptance records (kept as proof of agreement) and any platform-level moderation records described in Section 2.2.
Uploaded images are deleted automatically when a promotion’s slot window ends.
You can erase your own data with /spotlite forget-me. You can run this command in any server where the Bot is present. After a confirmation step, it globally deletes your saved-card references (and the associated Stripe customer) and your language preference.
For safety reasons, /spotlite forget-me preserves anti-abuse and reputation signals and any platform-ban record. When these are preserved, your Discord identifier within them is replaced with a one-way cryptographic token, so the safety signal survives without our continuing to hold your raw Discord ID against it. We rely on our legitimate interest in preventing fraud and abuse for this, and we do not claim that it constitutes complete erasure while we retain the ability to match the token.
Promotions you created, payments, bids, likes, and reports are also retained as transaction and moderation records. If you want data in this category erased, contact us at [email protected] and we will weigh your request against our record-keeping and anti-abuse obligations.
7. Cookies and website storage
The Spotlite Hub is designed to be privacy-respecting:
- No cookies. The Hub sets no cookies on any page, including when you like a promotion.
- No analytics or tracking. There are no analytics, advertising, tracking pixels, or external fonts.
- One functional browser storage item. If you click a like button, the Hub stores a small “liked / not liked” flag in your own browser so the heart displays correctly when you return. It contains no identifier and is not shared.
- Videos load only when you click. On promotion pages with a video, no contact is made with YouTube until you click to play; clicking then loads YouTube’s privacy-enhanced player. A plain link to watch on YouTube is always offered as an alternative.
Because we set no cookies, run no tracking, and load third-party media only when you choose to, we do not use a cookie-consent banner; the single functional storage item records the result of an action you took yourself.
8. Your rights
Subject to applicable law, including the GDPR for users in the EU and EEA, you may have the right to access, correct, delete, restrict, or object to the processing of your personal data, to data portability, and to withdraw consent where we rely on it. You can exercise much of this yourself using /spotlite forget-me, or by contacting us at [email protected]. You also have the right to lodge a complaint with your local data-protection supervisory authority.
9. Children
Spotlite is not directed to children. You must meet the age requirement set out in our Terms of Service, and Discord’s own minimum age, to use Spotlite. We do not knowingly process data from anyone below the required age.
10. Changes to this policy
We may update this policy from time to time. We will change the “last updated” date above and, for material changes, make reasonable efforts to notify users.
11. Contact
For any privacy question or request, contact us at [email protected].
Spotlite is currently in a pre-launch / testing phase. This policy may be updated as the service develops.